Description: fix rejection of v1 intermediate CA
 Fix bug that prevented the rejection of v1 intermediate CA
 certificates.
 Reported by Suman Jana.
 This is b1abfe3d182d68539900092eb42fc62cf1bb7e7c from upstream git,
 unfuzzed for 2.12.x by Andreas Metzler.
Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Origin: upstream
Bug: http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
Forwarded: not-needed
Last-Update: 2014-02-15

--- gnutls26-2.12.23.orig/lib/x509/verify.c
+++ gnutls26-2.12.23/lib/x509/verify.c
@@ -644,8 +644,10 @@ _gnutls_x509_verify_certificate (const g
       /* note that here we disable this V1 CA flag. So that no version 1
        * certificates can exist in a supplied chain.
        */
-      if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
+      if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) {
         flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+	flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT;
+      }
       if ((ret =
            _gnutls_verify_certificate2 (certificate_list[i - 1],
                                         &certificate_list[i], 1, flags,